1. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 
CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than 
the payment of the issue fee. 



2. Authorization for this examiner's amendment was given in a telephone interview with Mr 
Gregory D. Leibold on June 17, 2009. 



3. The application has been amended as follows: 



1. (Currently Amended) A system for identifying principals within a computing environment, the 
system comprising: one or more processing units; at least one memory including instructions 
that, when executed by the one or more processors, create a system comprising: a plurality of 
principal objects, wherein each principal object corresponds to a specific principal authenticated 
to perform a digital action within the computing environment and wherein each principal object 
is operable for use by a computer process within the computing environment to associate a 
plurality of resource objects with the specific principal corresponding to the principal object; a 
plurality of identity claims, wherein each identity claim uniquely identifies the specific principal 
corresponding to each specific principal object, and wherein at least one of the plurality of 
principal objects comprises two or more identity claims each uniquely identifying the specific 
principal corresponding to the at least one principal object; and a plurality of identity references, 
wherein each of the plurality of identity references comprise at least part of one of the resource 
objects within the computing environment, and wherein each of the plurality of identity 
references identifies its associated resource object as being associated with a specific principal 
based on a link assertion within the identity reference to a specific identity claim [[.]]; wherein 
each of the plurality of identity claims comprises a type assertion and a value assertion that 
collectively identify the specific principal corresponding to the principal object to which each of 
the identity claims are associated; wherein the link assertion within each of the plurality of the 
identity references comprises the type assertion and the value assertion specified in the specific 
identity claim to which each identity reference is linked. 

2-4.(Canceled) 

5. (Original) A system as defined in claim [[4]] 1, wherein a first type assertion for a first identity 
claim associated with a first principal object indicates that the value assertion in the first identity 
claim comprises an electronic mail address uniquely associated with a first principal 
corresponding to the first principal object. 

6. (Original) A system as defined in claim 5, wherein the first identity claim further comprises a 
start time reference assertion indicating a point in time when the email address was initially 
associated with the first principal. 
7. (Original) A system as defined in claim 6, wherein the first identity claim further comprises an 
end time reference assertion indicating a point in time when the association between the email 
address and the first principal lapses. 

8. (Original) A system as defined in claim[[4]] 1, wherein a second type assertion for a second 
identity claim associated with the first principal object indicates that the value assertion in the 
second identity claim comprises a telephone number uniquely associated with the first principal. 

9. (Original) A system as defined in claim [[2]] 1, wherein the computing environment is a 
distributed computing system, and wherein at least one identity reference is maintained on a 
computer system different than a computer system on which the identity claim linked to the 
identity reference is maintained. 

10-27 (Cancelled). 

28. (Currently Amended) A computer-implemented method for identifying a first principal 
authenticated to perform a digital action within a computing environment including at least a first 
computer system, the method comprising: creating, by the first computer system, a principal 
object operable for use by a computer process within the computing environment to identify the 
first principal as being associated with a plurality of resource objects maintained within the 
computing environment; associating with the principal object a first identity claim uniquely 
identifying the first principal within a particular identification scheme, wherein unique 
identification of the first principal within the particular identification scheme is accomplished by 
assignment of unique identification strings to each of a plurality of principals; receiving a 
plurality of resource objects associated with a plurality of application programs, wherein each of 
the plurality of resource objects comprise an identity reference comprising a declaration that 
links each resource object to the principal object; identifying within the computing environment 
each of the plurality of resource objects as being associated with the first principal based on the 
declaration links contained in the associated identity references, wherein the computer process 
utilizes identification of each of the plurality of resource objects to the first principal to perform 
at least one task in connection with each identified resource object; and creating a phantom 
principal object in response to receiving a resource object having an identity reference comprising 
a declaration that does not link the resource object to the principal object, the declaration 
comprising an identification string uniquely identifying a second principal within the particular 
identification scheme, and wherein the phantom principal object is created to include the 
identification string assigned to the second principal, wherein the resource object is associated 
with the phantom principal object; saving the phantom principal object to a data store containing 
the principal object corresponding to the first principal; receiving a new principal object; and 
replacing the phantom principal object with the new principal object. 

29. (Original) A method as defined in claim 28, wherein the receiving act comprises: receiving a 
first resource object having associated therewith a first identity reference linked to the first 
identity claim based on a first declaration comprising a unique identification string assigned to 
the first principal, wherein the first resource object represents a first file associated with a first 
application program; and receiving a second resource object having associated therewith a 
second identity reference linked to the first identity claim based on a second declaration 
comprising the unique identification string assigned to the first principal, wherein the second 
resource object represents a second file associated with a second application program. 

30. (Original) A method as defined in claim 29, wherein the identifying act comprises: 
identifying the first file and the second file as being associated with the first principal based on 
the linking of the first identity reference and the second identity reference to the first identity 
claim. 

31. (Original) A method as defined in claim 28, further comprising: associating with the 
principal object properties associated with the first principal, wherein the task performed by the 
computer process in response to the identifying act comprises an act of displaying a graphical 
representation of the properties associated with the first principal in conjunction with a graphical 
representation of at least one of the plurality of resources linked to the principal object. 

32. (Original) A method as defined in claim 30, further comprising: associating with the 
principal object properties associated with the first principal, wherein the task performed by the 
computer process in response to the identifying act comprises an act of authenticating access by 
the first principal to at least one of the plurality of resources linked to the principal object. 

33. (Canceled) 

34. (Previously Presented) A method as defined in claim 28, further comprising: receiving a 
second principal object, wherein the second principal object comprises a second identity claim 
that comprises the identification string assigned to the second principal; and in response to 
determining that the phantom principal object and the second principal both correspond to the 
second principal, deleting the phantom principal object from the data store and saving to the data 
store the second principal object such that the second principal object is operable for use by the 
identifying act. 

35. (Original) A method as defined in claim 28, wherein the first identity claim is stored in the 
computing environment in a data store, the method further comprising: in response to receiving a 
second identity claim for storage into the data store, determining whether the second identity 
claim and the first identity claim both specify an identical unique identification string; and in 
response to determining that both the first identity claim and the second identity claim specify 
the identical unique identification string, invoking a fault resolution process to determine a 
primary identity claim that is to be stored in the data store and available to the identifying act. 

36. (Original) A method as defined in claim 35, wherein the invoking act comprises: merging 
data stored in the second identity claim into the first identity claim. 

37. (Original) A method as defined in claim 35, wherein the invoking act comprises: deleting the 
first identity claim; and storing in the data store the second identity claim. 

38. (Canceled) 

39. (Currently Amended) A computer storage medium encoding computer readable instructions 
that when executed perform a method for identifying a first principal authenticated to perform a 
digital action within a computing environment, the method comprising: creating a principal 
object operable for use by a computer process within the computing environment to identify the 
first principal as being associated with a plurality of resource objects maintained within the 
computing environment; associating with the principal object a first identity claim uniquely 
identifying the first principal within a particular identification scheme, wherein unique 
identification of the first principal within the particular identification scheme is accomplished by 
assignment of unique identification strings to each of a plurality of principals; receiving a 
plurality of resource objects associated with a plurality of application programs, wherein each of 
the plurality of resource objects comprise an identity reference comprising a declaration that 
links each resource object to the principal object; identifying within the computing environment 
each of the plurality of resource objects as being associated with the first principal based on the 
declaration links contained in the associated identity references, wherein the computer process 
utilizes identification of each of the plurality of resource objects to the first principal to perform 
at least one task in connection with each identified resource object[[.]] ; wherein the receiving act 
comprises: receiving a first resource object having associated therewith a first identity reference 
linked to the first identity claim based on a first declaration comprising a unique identification 
string assigned to the first principal, wherein the first resource object represents a first file 
associated with a first application program; and receiving a second resource object having 
associated therewith a second identity reference linked to the first identity claim based on a 
second declaration comprising the unique identification string assigned to the first principal, 
wherein the second resource object represents a second file associated with a second application 
program. 

40. (Cancelled). 

41. (Original) A method as defined in claim [[40]] 39, wherein the identifying act comprises 
identifying the first file and the second file as being associated with the first principal based on 
the linking of the first identity reference and the second identity reference to the first identity 
claim. 

42. (Original) A method as defined in claim 39, further comprising: associating with the 
principal object properties associated with the first principal, wherein the task performed by the 
computer process in response to the identifying act comprises an act of displaying a graphical 
representation of the properties associated with the first principal in conjunction with a graphical 
representation of at least one of the plurality of resources linked to the principal object. 

43. (Original) A method as defined in claim 41, further comprising: associating with the 
principal object properties associated with the first principal, wherein the task performed by the 
computer process in response to the identifying act comprises an act of authenticating access by 
the first principal to at least one of the plurality of resources linked to the principal object. 

44. (Original) A method as defined in claim 39, wherein the first identity claim is stored in the 
computing environment in a data store, the method further comprising: in response to receiving a 
second identity claim for storage into the data store, determining whether the second identity 
claim and the first identity claim both specify an identical unique identification string; and in 
response to determining that both the first identity claim and the second identity claim specify 
the identical unique identification string, invoking a fault resolution process to determine a 
primary identity claim that is to be stored in the data store and available to the identifying act. 

45. (Original) A method as defined in claim 44, wherein the invoking act comprises: merging 
data stored in the second identity claim into the first identity claim. 

46. (Original) A method as defined in claim 44, wherein the invoking act comprises: deleting the 
first identity claim; and storing in the data store the second identity claim. 

47. (Original) A method as defined in claim 39, wherein each of the plurality of identity claims 
comprises a type assertion and a value assertion that collectively identify the specific principal 
corresponding to the principal object to which each of the identity claims are associated. 
48. (Original) A method as defined in claim 47, wherein the link assertion within each of the 
plurality of the identity references comprises the type assertion and the value assertion specified 
in the specific identity claim to which each identity reference is linked. 

49. (Original) A method as defined in claim 48, wherein a first type assertion for a first identity 
claim associated with a first principal object indicates that the value assertion in the first identity 
claim comprises an electronic mail address uniquely associated with a first principal 
corresponding to the first principal object. 
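The data model recited in claims 1, 28, 34 and 35 (principal objects carrying identity claims made of a type assertion and a value assertion; identity references whose link assertion names such a claim; a phantom principal created for an unknown identification string and later replaced by a real principal; and a fault resolution step when two claims carry the same identification string) can be exercised as a small store. The following is an added illustration written for this page, not code from the patent or from the applicant; the class names, the choice of an in-memory list as the "data store", and the "merge" fault-resolution behaviour are assumptions made here for clarity.

```python
"""Illustrative model of principal objects, identity claims, identity references
and phantom principals as described in the claims above.  Hypothetical code,
not the applicant's implementation; names and sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IdentityClaim:
    """Claim 47: a type assertion plus a value assertion, e.g. ("email", "...")."""
    type_assertion: str
    value_assertion: str


@dataclass
class PrincipalObject:
    """A principal object; `phantom` marks one created for an unknown string (claim 28)."""
    name: str
    claims: set[IdentityClaim] = field(default_factory=set)
    phantom: bool = False


@dataclass(frozen=True)
class IdentityReference:
    """Part of a resource object; the link assertion repeats the claim's type and value (claim 48)."""
    resource_id: str
    link: IdentityClaim


class PrincipalStore:
    """In-memory stand-in for the data store holding principal objects (assumption)."""

    def __init__(self) -> None:
        self.principals: list[PrincipalObject] = []
        self.resources: dict[str, PrincipalObject] = {}  # resource id -> owning principal

    def find_by_claim(self, claim: IdentityClaim) -> PrincipalObject | None:
        for principal in self.principals:
            if claim in principal.claims:
                return principal
        return None

    def receive_resource(self, ref: IdentityReference) -> PrincipalObject:
        """Identify the resource's principal from its link assertion (claim 28).
        An unknown identification string produces a phantom principal that carries it."""
        principal = self.find_by_claim(ref.link)
        if principal is None:
            principal = PrincipalObject(
                name=f"phantom:{ref.link.value_assertion}", claims={ref.link}, phantom=True
            )
            self.principals.append(principal)
        self.resources[ref.resource_id] = principal
        return principal

    def receive_principal(self, new: PrincipalObject) -> PrincipalObject:
        """Store a new principal object.  A phantom with a matching claim is replaced
        (claim 34); a real principal with a matching claim triggers fault resolution,
        here chosen to be a merge of the new claims into the existing one (claim 36)."""
        for claim in list(new.claims):
            existing = self.find_by_claim(claim)
            if existing is None or existing is new:
                continue
            if existing.phantom:
                self._replace(existing, new)
            else:
                existing.claims |= new.claims  # fault resolution: merge
                return existing
        self.principals.append(new)
        return new

    def _replace(self, phantom: PrincipalObject, real: PrincipalObject) -> None:
        """Delete the phantom and re-point every resource it owned to the real principal."""
        self.principals.remove(phantom)
        for resource_id, owner in list(self.resources.items()):
            if owner is phantom:
                self.resources[resource_id] = real

    def resources_of(self, principal: PrincipalObject) -> list[str]:
        """The resource objects identified with this principal (claim 30)."""
        return sorted(rid for rid, owner in self.resources.items() if owner is principal)


if __name__ == "__main__":
    store = PrincipalStore()  # constructed sample data follows
    alice = store.receive_principal(PrincipalObject("alice", {IdentityClaim("email", "alice@example.test")}))
    store.receive_resource(IdentityReference("doc1", IdentityClaim("email", "alice@example.test")))
    ghost = store.receive_resource(IdentityReference("doc2", IdentityClaim("email", "bob@example.test")))
    print(store.resources_of(alice), ghost.phantom)
    bob = store.receive_principal(PrincipalObject("bob", {IdentityClaim("email", "bob@example.test")}))
    print(store.resources_of(bob), [p.name for p in store.principals])
```

The point worth keeping in mind when building anything like this: the link assertion inside a resource object is exactly that, an assertion, so the store should only accept identity claims and identity references from sources it has authenticated, and a phantom principal should be treated as unverified until a real principal object replaces it.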

4. Following is an examiner's statement of reasons for allowance: 

5. With respect to claims 1, 5-9, 28-32, 34-37, 39, and 41-49 the prior art of record, 
individually or in combination, fails to teach, suggest or render obvious the claimed invention in 
combination with specific amended limitations as recited in claims 1, and 39. 

6. Any comments considered necessary by applicant must be submitted no later than 
the payment of the issue fee and, to avoid processing delays, should preferably accompany the 
issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 

Conclusion 

7. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tammy T. Nguyen whose telephone number is 571-272-3929. 
The examiner can normally be reached on Monday - Friday 8:30 - 5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William Vaughn can be reached on 571-272-3922. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. Information 
regarding the status of an application may be obtained from the Patent Application Information 
Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available 
through Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the 
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from 
a USPTO Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/THANH TAMMY NGUYEN/ 

Primary Examiner, Art Unit 2444 



